Bug 752022 (CVE-2011-4129) - CVE-2011-4129 libsocialweb: Untrusted connection to Twitter without user's approval upon service start via dbus
Summary: CVE-2011-4129 libsocialweb: Untrusted connection to Twitter without user's ap...
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-4129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20111108,reported=2...
Keywords: Security
Depends On: 752459
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-08 11:13 UTC by Sandu Adrian
Modified: 2019-06-08 18:57 UTC (History)
12 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-01-06 16:04:26 UTC


Attachments (Terms of Use)

Description Sandu Adrian 2011-11-08 11:13:37 UTC
Description of problem:
Whenever I boot I see a connection to twitter servers even though I didn't add any online accounts ( and I don't have twitter ). I don't like nor want the web services.

Version-Release number of selected component (if applicable):
16

How reproducible:
ALL THE TIME

Steps to Reproduce:
1.boot up
2.look at the connections
3.grep for "socialweb"
  
Actual results:
1 connection to some twitter server
tcp       28      0 10.10.18.71:48311           199.59.149.232:443          CLOSE_WAIT  1529/libsocialweb-c 


Expected results:
NO CONNECTIONS

Additional info:
It might be great for people who use those services, but I don't want my system to have anything related to twitter/facebook or other crap, even more when it tries to make connections without my approval. It's also weird that gnome-shell depends on this stuff !

Comment 1 Henrik Nordström 2011-11-08 12:36:35 UTC
I would rate this as a security issue by two aspects:

* It's a hidden Twitter "bug" that gives Twitter information on every successful Fedora 16 user login to gnome shell in default installation. Without any consent given by the user or any indication that any such notification is taking place.

* no verification of the SSL connection is attempted, leaving the exchange wide-open to mitm attacks which I suspect may open up for possible twitter session theft if there is an twitter network account.


In addition there is a separate minor bug where the twitter client apparently forgets to close the connection, leaving it in CLOSE_WAIT state until logout.


Example data sent to api.twitter.com, extracted by a trivial mitm attack using openssl s_server with a dummy self-signed certificate for a completely different service and iptables nat to redirect the traffic there:


GET /friends/ids.xml?screen%5Fname= HTTP/1.1
Host: api.twitter.com
Authorization: OAuth realm="", oauth_nonce="3721916599", oauth_consumer_key="7MXEzcmLr0ro5buVLd37Dw", oauth_signature="nEWrwNMAnzn8OqtBw5L5ZbKXyXY%3D", oauth_version="1.0", oauth_timestamp="1320754869", oauth_signature_method="HMAC-SHA1"
Connection: Keep-Alive

Comment 2 Henrik Nordström 2011-11-08 12:44:39 UTC
A temporary workaround is to

  chmod 0 /usr/lib64/libsocialweb/services/libtwitter.so

to prevent the twitter client from loading.

Comment 3 Peter Robinson 2011-11-08 13:18:46 UTC
libsocialweb doesn't run on its own, it gets started by something else via dbus on request. Looking through the deps on a standard gnome-desktop I suspect this is folks as its the only thing that links against it directly. Whether this is then requested by something that then uses folks such as gnome-contacts, gnome-online-accounts or empathy one of the gnome team would need to confirm

Comment 4 Henrik Nordström 2011-11-08 16:30:30 UTC
fact remains that the twitter service is doing a unasked and silent transaction with twitter each time it gets started with no obvious way to disable. 

looking at the code it seems it tries to avoid this by cheking for a NULL API key, but for some reason it still tries even when there is no twitter account configured. (empty but not NULL? or is there some default public api key?)


service/twitter/twitter.c line 512

Comment 5 Jan Lieskovsky 2011-11-09 15:03:57 UTC
(In reply to comment #1)
> I would rate this as a security issue by two aspects:
> 
> * It's a hidden Twitter "bug" that gives Twitter information on every
> successful Fedora 16 user login to gnome shell in default installation. Without
> any consent given by the user or any indication that any such notification is
> taking place.
> 
> * no verification of the SSL connection is attempted, leaving the exchange
> wide-open to mitm attacks which I suspect may open up for possible twitter
> session theft if there is an twitter network account.

This truly is a security issue. It's a very bad programming custom to open
untrusted remote connection without user's approval by default (upon service
start).

I have stolen this bug to be a 'Security Response' product one. Thank you
for notifying us about this.

Comment 6 Jan Lieskovsky 2011-11-09 15:05:10 UTC
This issue affects the version of the libsocialweb package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update (once final upstream patch known).

Comment 7 Jan Lieskovsky 2011-11-09 15:19:38 UTC
CVE request:
[1] http://www.openwall.com/lists/oss-security/2011/11/09/3

Comment 8 Jan Lieskovsky 2011-11-09 15:20:39 UTC
Created libsocialweb tracking bugs for this issue

Affects: fedora-all [bug 752459]

Comment 9 Vincent Danen 2011-11-09 18:16:10 UTC
This issue was assigned the name CVE-2011-4129.

Comment 10 Rob Bradford 2011-11-10 16:35:35 UTC
Hi, thanks for bringing this to my attention.

As Henrik highlighted there are two issues:

* A bug where the views will try and fetch content from the web service even if they aren't configured.

I fixed this for twitter in:

http://git.gnome.org/browse/libsocialweb/commit/?id=8982cf504cf3767761fe85d9558beab3d9da5bec

and

http://git.gnome.org/browse/libsocialweb/commit/?id=0086bfbfc07345438123a87957e0bc12226e2b94

Many of the backends were derived from twitter so also need an audit to check if they have correct behavior - i'll do that and fix those today and make a new release.

* Secondly we should enforce that the SSL certificate is valid - i've done that by fixing librest:

https://bugzilla.gnome.org/show_bug.cgi?id=663783

I'll be making a new librest release today too.

Comment 11 Rob Bradford 2011-11-10 18:39:45 UTC
There is a new librest release that forces trusted certificates - http://ftp.gnome.org/pub/GNOME/sources/rest/0.7/rest-0.7.12.tar.xz

Comment 12 Peter Robinson 2011-11-11 09:15:49 UTC
> Many of the backends were derived from twitter so also need an audit to check
> if they have correct behavior - i'll do that and fix those today and make a new
> release.

Hi Rob, do you have status on a updated libsocialweb?

Comment 13 Rob Bradford 2011-11-12 11:13:47 UTC
Peter, I just uploaded a 0.25.20 to the gnome servers - should be a available in a few minutes.

Comment 14 Peter Robinson 2011-11-12 12:59:28 UTC
(In reply to comment #13)
> Peter, I just uploaded a 0.25.20 to the gnome servers - should be a available
> in a few minutes.

Rob: thanks, much appreciated

Comment 15 Fedora Update System 2011-11-25 02:26:49 UTC
rest-0.7.12-1.fc16, libsocialweb-0.25.20-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2011-11-29 00:02:51 UTC
rest-0.7.12-1.fc15, libsocialweb-0.25.20-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Peter Robinson 2012-01-06 16:04:26 UTC
All fixed


Note You need to log in before you can comment on or make changes to this bug.